Azure
diff --git a/‎Solutions/Azure Web Application Firewall (WAF)/Analytic Rules/App-GW-WAF-SQLiDetection.yaml‎
Lines changed: 7 additions & 4 deletions b/‎Solutions/Azure Web Application Firewall (WAF)/Analytic Rules/App-GW-WAF-SQLiDetection.yaml‎
Lines changed: 7 additions & 4 deletions
diff --git a/‎Solutions/Azure Web Application Firewall (WAF)/Analytic Rules/App-GW-WAF-XSSDetection.yaml‎
Lines changed: 7 additions & 4 deletions b/‎Solutions/Azure Web Application Firewall (WAF)/Analytic Rules/App-GW-WAF-XSSDetection.yaml‎
Lines changed: 7 additions & 4 deletions
diff --git a/‎Solutions/Azure Web Application Firewall (WAF)/Package/3.0.2.zip‎
19.9 KB b/‎Solutions/Azure Web Application Firewall (WAF)/Package/3.0.2.zip‎
19.9 KB
diff --git a/‎Solutions/Azure Web Application Firewall (WAF)/Package/createUiDefinition.json‎
Lines changed: 1 addition & 1 deletion b/‎Solutions/Azure Web Application Firewall (WAF)/Package/createUiDefinition.json‎
Lines changed: 1 addition & 1 deletion
@@ -31,13 +31,16 @@ query:  |
  | where Category == "ApplicationGatewayFirewallLog"
  | where action_s == "Matched"
  | where Message has "SQL Injection"
- | project transactionId_g, hostname_s, requestUri_s, TimeGenerated, clientIp_s, Message, details_message_s, details_data_s
+ | extend transactionId_g = tostring(parse_json(AdditionalFields).transactionId_g)
+ | extend hostname_s = tostring(parse_json(AdditionalFields).hostname_s)
+ | project transactionId_g, hostname_s, requestUri_s, TimeGenerated, clientIp_s, Message
  | join kind = inner(
  AzureDiagnostics
  | where Category == "ApplicationGatewayFirewallLog"
- | where action_s == "Blocked") on transactionId_g
+ | where action_s == "Blocked"
+ | extend transactionId_g = tostring(parse_json(AdditionalFields).transactionId_g)) on transactionId_g
  | extend Uri = strcat(hostname_s,requestUri_s)
- | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), TransactionID = make_set(transactionId_g,100), Message = make_set(Message,100), Detail_Message = make_set(details_message_s,100), Detail_Data = make_set(details_data_s,100), Total_TransactionId = dcount(transactionId_g) by clientIp_s, Uri, action_s
+ | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), TransactionID = make_set(transactionId_g,100), Message = make_set(Message,100), Total_TransactionId = dcount(transactionId_g) by clientIp_s, Uri, action_s
  | where Total_TransactionId >= Threshold
 # The Threshold value above can be changed as per your infrastructure's requirement
 entityMappings:
@@ -49,5 +52,5 @@ entityMappings:
     fieldMappings:
       - identifier: Address
         columnName: clientIp_s 
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
@@ -28,13 +28,16 @@ query:  |
  | where Category == "ApplicationGatewayFirewallLog"
  | where action_s == "Matched"
  | where Message has "XSS"
- | project transactionId_g, hostname_s, requestUri_s, TimeGenerated, clientIp_s, Message, details_message_s, details_data_s
+ | extend transactionId_g = tostring(parse_json(AdditionalFields).transactionId_g)
+ | extend hostname_s = tostring(parse_json(AdditionalFields).hostname_s)
+ | project transactionId_g, hostname_s, requestUri_s, TimeGenerated, clientIp_s, Message
  | join kind = inner(
  AzureDiagnostics
  | where Category == "ApplicationGatewayFirewallLog"
- | where action_s == "Blocked") on transactionId_g
+ | where action_s == "Blocked"
+ | extend transactionId_g = tostring(parse_json(AdditionalFields).transactionId_g)) on transactionId_g
  | extend Uri = strcat(hostname_s,requestUri_s)
- | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), TransactionID = make_set(transactionId_g,100), Message = make_set(Message,100), Detail_Message = make_set(details_message_s,100), Detail_Data = make_set(details_data_s,100), Total_TransactionId = dcount(transactionId_g) by clientIp_s, Uri, action_s
+ | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), TransactionID = make_set(transactionId_g,100), Message = make_set(Message,100), Total_TransactionId = dcount(transactionId_g) by clientIp_s, Uri, action_s
  | where Total_TransactionId >= Threshold
 # The Threshold value above can be changed as per your infrastructure's requirement 
 entityMappings:
@@ -46,5 +49,5 @@ entityMappings:
     fieldMappings:
       - identifier: Address
         columnName: clientIp_s 
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
@@ -64,7 +64,7 @@
             }
           },
           {
-            "name": "dataconnectors-link2",
+            "name": "dataconnectors-link1",
             "type": "Microsoft.Common.TextBlock",
             "options": {
               "link": {
Original file line number	Diff line number	Diff line change
`@@ -64,7 +64,7 @@`
`64`	`64`	`}`
`65`	`65`	`},`
`66`	`66`	`{`
`67`		`- "name": "dataconnectors-link2",`
	`67`	`+ "name": "dataconnectors-link1",`
`68`	`68`	`"type": "Microsoft.Common.TextBlock",`
`69`	`69`	`"options": {`
`70`	`70`	`"link": {`